It looks like commercial auth servers may have their own internal ways of generating the 'kid' for the /jwks endpoint. This makes it harder to incorporate the pattern we have defined into it. This originally stemmed from the assumption that one auth server may be used for several things, but if something like 'NMOS' is split into its own 'realm', as seems to be relatively typical, this may be less important and clients could be expected to consume all available keys.
Whilst I'm testing with Keycloak, there's a similar issue recorded against OpenAM: https://bugster.forgerock.org/jira/browse/OPENAM-10478